Print. Scan. Protect. HP Highlights the Importance of Network Print Security

By Jessica Schiffenhaus, Associate Editor, and Marlene Orr, Senior Analyst, Printers/A4 MFPs, September 9, 2014

Data security is serious stuff. Anyone who follows the news, whether it’s financial, retail or celebrity-related, has seen countless stories regarding security breaches of personal data. At an analyst briefing in NYC, HP highlighted the importance of IT security for business and introduced a number of products and solutions to help ease the pain of the IT director trying to make printing safer for their organization.

Michael Howard, Worldwide Security Practice Lead for Managed Services of HP's Printing and Personal Systems Group (PPSG), kicked things off by presenting some eye-opening numbers. A 2013 survey shows the average cost of a data breach is about $5.4 million (or about $136 per individual record); this also includes the cost of reputation damage and fines, which have become the rule rather than the exception. Howard also noted that about 65 percent of corporate security breaches are internal. Tying this directly to printing, nearly 90% of enterprise customers surveyed experienced a data breach due to unsecured printing. This could have been due to an employee inadvertently sending a job to the wrong printer or perhaps getting sidetracked after sending a sensitive job, which then gets picked up by another employee.

IT security spending is on the rise in corporate environments as the number and types of regulations increase. Howard noted that security for printers and MFPs pales in comparison to that for network PCs and servers. Ideally, every device on the network should be an equal network citizen because each endpoint on the network, if not secured, can be the target for hackers who continually become more creative in the complexity of their attacks. HP feels using a multilayer strategy is the best bet to stave off these attacks: step one is to secure the MFP, step two is to control access and step three is to secure the data within the document.

Security Starts with the Hardware

Because security should start with the device itself, HP noted that some of its devices have more than 200 security settings that can be adjusted, and every printer and MFP with a hard drive includes standard encryption.

As part of the broader security announcement, HP announced availability of three new printer and MFP families. Designed for small workgroups of one to five users, the LaserJet Pro M201/M202 printers and LaserJet Pro MFP M225/M226 series models offer entry-level users affordable monochrome devices with “professional” network security features. These models are compatible with HP Imaging and Printing Security Center 2.1 (IPSC, covered later in this article).

The four MFPs, the LaserJet Pro MFP M225dn, LaserJet Pro MFP M225dw, LaserJet Pro MFP M226dn and LaserJet Pro MFP M226dw, replace the LaserJet Pro M1536dnf. The single-function printers, the LaserJet Pro M201dw, LaserJet Pro M202n and M202dw, replace the HP LaserJet Pro P1606dn. With mobility features, like HP ePrint, Apple AirPrint, Mopria-certification and wireless direct printing, not found on the previous-generation models (wireless direct available on the “dw” only), all seven models print at 26 ppm (same speed as previous generation models) but have more memory than that of the previous generation model (128 MB versus 64 MB for the printer and 256 MB versus 128 MB for the MFP). The M201dw and M202dw both include wired and wireless networking and standard automatic duplexing, while the M202n includes a wired connection and manual duplexing. All four MFPs include a 35-sheet ADF. While the “dn” MFPs include a two-line text display, the “dw” MFPs feature a color touch-screen interface. Security features include a password-protected embedded web server, along with port disablement and SNMPv1.

At the high-end, HP announced its new monochrome flagship device. Before we go into the details of that product, though, let’s go over a quick history lesson. Back in 2004, HP created a new category of printer MFPs: the large workgroup mono MFP. Vyomesh Joshi (VJ), then executive vice president of HP’s Imaging and Printing Group (IPG), claimed HP would turn the copier market on its head with the announcement of the 45-ppm LaserJet 4345. HP asserted that this printer MFP was designed to take pages from the A3/copier market. The 4345 was replaced two years later with the LaserJet M4345, which included a more intuitive menu system and a higher capacity hard drive, but otherwise remained largely unchanged from the original design. A testament to the success of the M4345, it took HP nearly five years to replace it, this time with the 55-ppm LaserJet Enterprise M4555. And now, three years later, HP announces the 60-ppm M630 series. The marketing message and positioning for the M630 series remains pretty much the same: only about 3% of general office output is on 11”-x-17” output, so a robust, yet more affordable legal-size device can meet the needs of most offices, according to HP.

Designed for workgroups of 10 to 25 users in enterprise environments, the fully configured LaserJet Enterprise Flow MFP M630z represents HP’s seventh “Flow” device. Like all products under the “Flow” brand, the LaserJet Enterprise Flow MFP M630 includes a built-in retractable keyboard to simplify data entry, a robust scanner with HP EveryPage technology (ultrasonic multi-feed detection and multi-step page separation process to detect and prevent misfeeds and multi-picks in the document feeder), dual scan heads to scan both sides of a page in a single pass, embedded OCR, scan to SharePoint and standard integration with the subscription-based Flow CM (cloud-based content management) software. This legal-size monochrome MFP outputs at up to 60 ppm and replaces the LaserJet Enterprise M4555 MFP series.

Other models in the family include the non-Flow versions of the device, which lack the more robust scanner and built-in keyboard: the base model LaserJet Enterprise MFP M630dn lacks a hard drive and includes standard automatic duplexing and a 600-sheet paper capacity, but lacks a hard drive; the LaserJet Enterprise MFP M630h adds a standard 320-GB secure hard drive with encryption; and the LaserJet Enterprise MFP M630f, which adds faxing and includes a total paper capacity of 3,100 sheets. Estimated street prices range from $2,799 for the base model to $4,999 for the fully loaded “Flow” configuration.

Standard device security features, to name just a few, include code-signed firmware, port disablement, Common Criteria certification, LDAP and various other types of authentication. The hardware integration pocket can be used for an optional card reader or the NFC/Wireless Direct accessory. Encrypted secure printing is available through the Universal Print Driver (UPD), which can be downloaded for free from HP’s website.

Another new hardware accessory is the HP Trusted Platform Module (TPM), a chip that, once added to the formatter of a printer or MFP, can provide an extra level of security to safeguard user credentials and passwords stored on the device. The TPM wraps encrypted credentials in another layer of security and the TPM has its own root key. Certificate private keys are both generated and protected by the TPM, so sensitive client information, data and documents are safeguarded. The printer or MFP uses the created certificates to prove it is the device it claims to be. And because the certificate private keys never leave the TPM, the identity certificates cannot be spoofed or copied, helping ensure that information received from the device is genuine and that information sent to the device is going to the intended destination. When the device is decommissioned, the TPM will permanently delete the storage root key, and any data that was protected by it cannot be retrieved by anyone who subsequently has access to the device.

Lower Costs, Reduced Waste and More Security for Free

JetAdvantage Pull Print, another free security feature designed for businesses of all sizes, is slated for November 5th availability. Ideal for SMB users, who mainly want a simple, affordable—read: free—solution to reduce waste and secure sensitive documents, the JetAdvantage Pull Print cloud-based solution will be available for selected Officejet and LaserJet devices (specifically those with a touch-screen interface), without added costs for servers, storage and software. IT administrators can sign up for a free account at Once set up, they can track and manage the Pull Print feature via the JetAdvantage On Demand website, a centralized web-based dashboard. The dashboard can be used to track and monitor usage and add users, either individually or by using a CSV file or Active Directory to push the data into the account.

Once the capability goes live, users then download the ePrint driver from HP’s website to begin using Pull Print. The solution uses 256-bit AES to safely transmit print data to the public cloud, where it is held securely, until a user authenticates at the device. At the control panel, users simply press the HP JetAdvantage Pull Print icon, sign in and select their held jobs from the queue. Once the job is selected, users can choose simple settings (simplex/duplex, mono/color and number of copies), as well as selecting whether the job should be held or deleted after printing. If users forget to delete after printing or forget to release the jobs entirely, data will only be held for three days after sending. Using this solution lets users send their jobs and retrieve them from any compatible printer, which not only reduces waste but also ensures sensitive data and documents don’t end up in the wrong hands.

Thinking Outside the Box: Advanced Security Solutions

Unsecured printing environments can leave organizations vulnerable to hackers and security breaches. But securing document imaging devices is complex. As noted above, HP printers and MFPs have over 200 security settings that can be configured to increase security. Not such a big deal for one printer, but that becomes quite a daunting task if the network includes dozens or even hundreds of printers and MFPs. And, even if security settings are in place, a system reboot or firmware upgrade can potentially wipe them out, with no notification to an administrator.

Imaging and Printing Security Center (IPSC) 2.1 provides administrators with a simple way to make sure a fleet of HP devices complies with an organization’s security policies. By eliminating the need to manually set policies, update security certificates and change security settings for each device on the network, IPSC saves administrators hours of work. IPSC 2.0 received an Outstanding Achievement award during BLI’s Winter 2013 Pick season for its unique functionality, which includes the ability to monitor fleets for compliance issues, automatically change 150+ security settings remotely to bring devices back into compliance and apply settings to new devices automatically, create valid policies with the intelligent policy editor, and more. Version 2.1 brings the ability to manage security certificates across an entire fleet of devices at once. According to HP, the process of installing security certificates can take upwards of 15 minutes per device, which, when managing a fleet of 1,000 devices, really adds up. IPSC handles this process automatically, as well as updates certificates as needed, saving administrators hours.

In order to help administrators decide which security measures are right for their organizations, prior to implementing such a solution, HP is now offering HP Print Security Advisory Services. After an analysis of an organization’s printing environment, the consulting service will recommend policies to put in place and additional security solutions to deploy, if necessary.

As mentioned earlier, more than half of security breaches are internal. While some incidents may be purely unintentional, such as documents left in the output tray, other risks come from employees accessing and transmitting documents with sensitive information. HP’s new Secure Content Management and Monitoring solution proactively monitors data for confidential information and whether the file is scanned, copied, printed or faxed.

SCMM comprises several solutions: HP Access Control, which identifies users and attaches them to their documents; HP Capture and Route, which takes the document, captures the image and performs OCR to create two files (text and image); HP Autonomy Records Manager, which is the database that hosts the files; and HP Autonomy Control Point, which reads the data and searches for keywords. Unlike some solutions that require administrators to manually search for keywords, SCMM actively monitors the database and alerts administrators if it detects anything. In addition to searching for words set by the administrator, SCMM can detect different types of personal identification information, such as a social security number, and see if the document was copied or printed, for example. The solution can detect a document type by analyzing the frequency of clusters of words, and intelligently learn new types. Administrators can create different rules for different scenarios, such as blocking output of a particular type of document or preventing a user from making copies of a document. Secure Content Management and Monitoring is slated for availability in February 2015.

Additionally, HP announced that its security monitoring solution, ArcSight, now includes monitoring of HP FutureSmart printers and MFPs. ArcSight captures device logs and events and automatically highlights potential risks such as authentication failures, configuration changes and after-hours printing.

Republished with permission from Buyers Laboratory LLC ( ©2013 Buyers Laboratory LLC